/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
#ifndef _UAPI_NF_CONNTRACK_COMMON_H
#define _UAPI_NF_CONNTRACK_COMMON_H
/* Connection state tracking for netfilter. This is separated from,
   but required by, the NAT layer; it can also be used by an iptables
   extension. */

/*
 * UAPI header: every enumerator value and macro below is part of the
 * kernel/userspace ABI, so values are only ever appended, never renumbered.
 * Comments added in review explain the arithmetic that the values encode.
 */

/*
 * Per-packet conntrack classification (ctinfo).  The first three values are
 * the ORIGINAL-direction states; adding IP_CT_IS_REPLY to one of them gives
 * the corresponding REPLY-direction state, which is why IP_CT_IS_REPLY
 * doubles as the "reply threshold" (any ctinfo >= IP_CT_IS_REPLY is a reply).
 */
enum ip_conntrack_info {
	/* Part of an established connection (either direction). */
	IP_CT_ESTABLISHED,

	/* Like NEW, but related to an existing connection, or ICMP error
	   (in either direction). */
	IP_CT_RELATED,

	/* Started a new connection to track (only
	   IP_CT_DIR_ORIGINAL); may be a retransmission. */
	IP_CT_NEW,

	/* >= this indicates reply direction */
	IP_CT_IS_REPLY,		/* == 3 */

	/* == 3 and == 4 respectively (ESTABLISHED + 3, RELATED + 3). */
	IP_CT_ESTABLISHED_REPLY = IP_CT_ESTABLISHED + IP_CT_IS_REPLY,
	IP_CT_RELATED_REPLY = IP_CT_RELATED + IP_CT_IS_REPLY,
	/* No NEW in reply direction. */

	/* Number of distinct IP_CT types. */
	IP_CT_NUMBER,		/* == 5 */

	/* only for userspace compatibility */
#ifndef __KERNEL__
	/*
	 * Userspace-visible placeholder (== 5) for the state that does not
	 * exist in the kernel; see the "No NEW in reply direction" note above.
	 */
	IP_CT_NEW_REPLY = IP_CT_NUMBER,
#else
	/*
	 * Kernel-only value, deliberately non-contiguous (skips 5 and 6) so it
	 * can never collide with IP_CT_NUMBER / IP_CT_NEW_REPLY as seen by
	 * userspace.
	 */
	IP_CT_UNTRACKED = 7,
#endif
};

/*
 * Bitmask encoding of ctinfo, used where a set of states is matched at once.
 *
 * NF_CT_STATE_BIT() folds the reply states onto their original-direction
 * counterpart: ctinfo % IP_CT_IS_REPLY maps 0..2 to themselves and 3,4 back
 * to 0,1, then +1 shifts past NF_CT_STATE_INVALID_BIT.  The result is
 *   bit 1 = ESTABLISHED (either direction)
 *   bit 2 = RELATED     (either direction)
 *   bit 3 = NEW
 * Note that the same arithmetic also maps 5 (IP_CT_NEW_REPLY) and 7
 * (IP_CT_UNTRACKED) onto bit 3, i.e. onto NEW.  Untracked therefore has its
 * own, separately defined bit (6) rather than going through the macro;
 * callers should not derive the untracked bit from NF_CT_STATE_BIT().
 * Bits 4 and 5 are unused by these definitions.
 */
#define NF_CT_STATE_INVALID_BIT			(1 << 0)
#define NF_CT_STATE_BIT(ctinfo)			(1 << ((ctinfo) % IP_CT_IS_REPLY + 1))
#define NF_CT_STATE_UNTRACKED_BIT		(1 << 6)

/* Bitset representing status of connection. */
/*
 * Each flag comes as a pair: the *_BIT enumerator is the bit index (for
 * set_bit/test_bit-style helpers) and the unsuffixed enumerator is the
 * corresponding mask (1 << *_BIT).  Keep the two in step when adding flags.
 */
enum ip_conntrack_status {
	/* It's an expected connection: bit 0 set. This bit never changed */
	IPS_EXPECTED_BIT = 0,
	IPS_EXPECTED = (1 << IPS_EXPECTED_BIT),

	/* We've seen packets both ways: bit 1 set. Can be set, not unset. */
	IPS_SEEN_REPLY_BIT = 1,
	IPS_SEEN_REPLY = (1 << IPS_SEEN_REPLY_BIT),

	/* Conntrack should never be early-expired. */
	IPS_ASSURED_BIT = 2,
	IPS_ASSURED = (1 << IPS_ASSURED_BIT),

	/* Connection is confirmed: originating packet has left box */
	IPS_CONFIRMED_BIT = 3,
	IPS_CONFIRMED = (1 << IPS_CONFIRMED_BIT),

	/* Connection needs src nat in orig dir. This bit never changed. */
	IPS_SRC_NAT_BIT = 4,
	IPS_SRC_NAT = (1 << IPS_SRC_NAT_BIT),

	/* Connection needs dst nat in orig dir. This bit never changed. */
	IPS_DST_NAT_BIT = 5,
	IPS_DST_NAT = (1 << IPS_DST_NAT_BIT),

	/* Both together. */
	IPS_NAT_MASK = (IPS_DST_NAT | IPS_SRC_NAT),

	/* Connection needs TCP sequence adjusted. */
	IPS_SEQ_ADJUST_BIT = 6,
	IPS_SEQ_ADJUST = (1 << IPS_SEQ_ADJUST_BIT),

	/* NAT initialization bits. */
	IPS_SRC_NAT_DONE_BIT = 7,
	IPS_SRC_NAT_DONE = (1 << IPS_SRC_NAT_DONE_BIT),

	IPS_DST_NAT_DONE_BIT = 8,
	IPS_DST_NAT_DONE = (1 << IPS_DST_NAT_DONE_BIT),

	/* Both together */
	IPS_NAT_DONE_MASK = (IPS_DST_NAT_DONE | IPS_SRC_NAT_DONE),

	/* Connection is dying (removed from lists), can not be unset. */
	IPS_DYING_BIT = 9,
	IPS_DYING = (1 << IPS_DYING_BIT),

	/* Connection has fixed timeout. */
	IPS_FIXED_TIMEOUT_BIT = 10,
	IPS_FIXED_TIMEOUT = (1 << IPS_FIXED_TIMEOUT_BIT),

	/* Conntrack is a template */
	IPS_TEMPLATE_BIT = 11,
	IPS_TEMPLATE = (1 << IPS_TEMPLATE_BIT),

	/* Conntrack is a fake untracked entry. Obsolete and not used anymore */
	/* Kept only so the bit index stays reserved; do not reuse bit 12. */
	IPS_UNTRACKED_BIT = 12,
	IPS_UNTRACKED = (1 << IPS_UNTRACKED_BIT),

	/* Conntrack got a helper explicitly attached via CT target. */
	IPS_HELPER_BIT = 13,
	IPS_HELPER = (1 << IPS_HELPER_BIT),

	/* Conntrack has been offloaded to flow table. */
	IPS_OFFLOAD_BIT = 14,
	IPS_OFFLOAD = (1 << IPS_OFFLOAD_BIT),

	/* Be careful here, modifying these bits can make things messy,
	 * so don't let users modify them directly.
	 */
	/*
	 * Expands to bits 0, 3, 4, 5, 6, 7, 8, 9, 11 and 14.  The flags that
	 * are *not* covered, and so remain settable from outside, are
	 * SEEN_REPLY (1), ASSURED (2), FIXED_TIMEOUT (10), UNTRACKED (12) and
	 * HELPER (13).  NOTE(review): this header only defines the mask;
	 * whichever path accepts a status word from userspace is presumably
	 * responsible for rejecting or clearing these bits -- confirm at the
	 * consumer, a new flag added above must also be added here if it is
	 * meant to be protected.
	 */
	IPS_UNCHANGEABLE_MASK = (IPS_NAT_DONE_MASK | IPS_NAT_MASK |
				 IPS_EXPECTED | IPS_CONFIRMED | IPS_DYING |
				 IPS_SEQ_ADJUST | IPS_TEMPLATE | IPS_OFFLOAD),

	/* One past the highest bit index currently defined (IPS_OFFLOAD_BIT). */
	__IPS_MAX_BIT = 15,
};

/* Connection tracking event types */
/*
 * Event *indices* (not masks); IPCT_NATSEQADJ is an alias of IPCT_SEQADJ and
 * shares its value, so the two are indistinguishable to a receiver.
 * __IPCT_MAX is kernel-only and so is not part of the userspace ABI.
 */
enum ip_conntrack_events {
	IPCT_NEW,		/* new conntrack */
	IPCT_RELATED,		/* related conntrack */
	IPCT_DESTROY,		/* destroyed conntrack */
	IPCT_REPLY,		/* connection has seen two-way traffic */
	IPCT_ASSURED,		/* connection status has changed to assured */
	IPCT_PROTOINFO,		/* protocol information has changed */
	IPCT_HELPER,		/* new helper has been set */
	IPCT_MARK,		/* new mark has been set */
	IPCT_SEQADJ,		/* sequence adjustment has changed */
	IPCT_NATSEQADJ = IPCT_SEQADJ,
	IPCT_SECMARK,		/* new security mark has been set */
	IPCT_LABEL,		/* new connlabel has been set */
	IPCT_SYNPROXY,		/* synproxy has been set */
#ifdef __KERNEL__
	__IPCT_MAX
#endif
};

/* Expectation event types; indices, same convention as ip_conntrack_events. */
enum ip_conntrack_expect_events {
	IPEXP_NEW,		/* new expectation */
	IPEXP_DESTROY,		/* destroyed expectation */
};

/* expectation flags */
/* Bitmask flags (distinct single bits), unlike the enum event indices above. */
#define NF_CT_EXPECT_PERMANENT		0x1
#define NF_CT_EXPECT_INACTIVE		0x2
#define NF_CT_EXPECT_USERSPACE		0x4


#endif /* _UAPI_NF_CONNTRACK_COMMON_H */